I'm a technology, privacy, and information security reporter and most recently the author of the book This Machine Kills Secrets, a chronicle of the history and future of information leaks, from the Pentagon Papers to WikiLeaks and beyond.
I've covered the hacker beat for Forbes since 2007, with frequent detours into digital miscellania like switches, servers, supercomputers, search, e-books, online censorship, robots, and China. My favorite stories are the ones where non-fiction resembles science fiction. My favorite sources usually have the word "research" in their titles.
Since I joined Forbes, this job has taken me from an autonomous car race in the California desert all the way to Beijing, where I wrote the first English-language cover story on the Chinese search billionaire Robin Li for Forbes Asia. Black hats, white hats, cyborgs, cyberspies, idiot savants and even CEOs are welcome to email me at agreenberg (at) forbes.com. My PGP public key can be found here.

Disable Java In Your Browser To Avoid A Nasty New Malware-Spreading Attack

With a new attack that targets a security vulnerability in Oracle’s Java spreading through the hacker underground and no available fix in sight, it may be time for users to deal with the plugin’s bug themselves–by unplugging it.

Over the weekend, security firm FireEye spotted a new attack that exploits a vulnerability in Java to install a piece of malware known as the Poison Ivy Trojan on target machines, which communicates with command and control servers in China and Singapore.

While FireEye says the attacks seem to be limited to a small number of targets for the moment, expect them to spread soon. The Java exploit has already been added to the commonly-used Metasploit kit. And most troubling for users, Oracle typically patches Java three times a year, with its next update nearly two months away.

“It’s just a matter of time that a [proof-of-concept] will be released and other bad guys will get hold of this exploit as well,” write FireEye’s researchers. “It will be interesting to see when Oracle plans for a patch, until then most of the Java users are at the mercy of this exploit.”

In the meantime, users can simply turn Java off in their browsers, a move that means sacrificing functionality on some websites but prevents possible “drive-by download” attacks that invisibly infect PCs via the Web.

For instructions on how to disable Java in Firefox, Chrome and Safari, click here. For instructions on disabling it in Internet Explorer, click here. The newly spreading exploit affects version 7; versions 6 and earlier aren’t targeted by the latest exploit. But given that those prior versions have their own security flaws, researchers are recommending that users disable Java rather than simply downgrade to an earlier, equally insecure version.

When visiting sites that require Java, security blogger Brian Krebs suggests users switch to a secondary browser with Java installed, using the Java-less browser for their normal browsing and only occasionally switching to the Java-enabled one. That strategy is far from a perfect fix, but it’s safer for the moment than using the Web with a vulnerable Java fully enabled.

Java’s vulnerability as an attack point is nothing new: Cybercriminals have integrated attacks against older versions of Java into the commonly-used Black Hole exploit kit since March. In April, Flashback malware infected more than 600,000 Macs using a Java vulnerability. In response to Flashback, Apple disabled Java by default and set it to automatically disable itself again if a user turns it on but doesn’t use it for a certain period of time.

For those who refuse to part with Java, even temporarily until Oracle issues a fix for the latest exploitable bug, researchers Andre Di Mino and Mila Parkour have created their own patch for the vulnerability, though they warn that it has had “limited testing” and suggest users instead simply disable the plugin.

In releasing their patch, Di Mino and Parkour also took the opportunity to point fingers at Oracle, whose lax patching has left Java users vulnerable for months at a stretch, and Rapid 7, the firm that owns the toolset Metasploit and has already updated it to include the Java-hacking exploit.

“Feel free to contact Oracle and ask them about their patch cycles,” the researchers’ note reads. “You can also contact Rapid 7 and ask if they ever heard of Social responsibility.”

Comments

After getting a new gaming computer a few months ago I decided to leave Java and Flash off the computer completely. Now I no longer get the usual monthly warning from my anti-virus that something has been found and my anti-spyware hasn’t found anything either. If I would have known that getting rid of both of those pieces of garbage software would have reduced my exposure to malware, I’d have gotten rid of them long ago.

Well, another thing to worry about, eh? If it’s not one thing, then it’s another; meanwhile preachers and ministers are expecting a cataclysm anytime soon, and even China and Russia might just decide to attack us from both sides all at once. How many US Americans get to sleep on an adequate mattress anyhow? Well, who cares anyhow, and how many baby boomers walk around with dental problems right now, even a tooth that was abscessed but now has a temporary cap over it and time is running out, because it now needs to be fixed with a root canal? Meanwhile now we have to worry about whether we can stay in touch by internet, because we didn’t have a congress that even cared a damn about the American people ever getting to see their relatives by way of automobile; instead they sat by and let the prices of gasoline go up steadily. Well, who did it hurt in the long run? Yes, the POOR and broken middle class, yet it seems all we do is get another scare to bend our attention another way. We need to realize what’s really happening. We don’t need salesmanship and we don’t need talk, talk that has holes in it, talk that mandates the wealthy be left alone because they will always bring us jobs. We need to listen to Buffett when he said, as a billionaire, I am not being taxed enough, and we need to share the spread and unfairness more, to spread it across the board making it more fair. Don’t know about you, but I get gutted every year from taxes; I wonder what the rich would say if they lost 50% of their money each year by paying a fair share of taxes. Well, maybe we need a world war that involves four different wars going on at the same time, that would take 90% taxes from us to support, and then we might remember the sales talk we all got from our TV screens; we need more than just talk, we all need to see specifics, yes specifics on just how more jobs are expected to come, in such a massive manner and so quickly.
I know one thing: we as a people cannot afford phony politics, and this will be the slow death of our country, and certainly this election is all about what women are going to do; they control 50% of the vote, so they in their manner can control the outcome of this election. But we all need to realize that we need something better than the rich getting richer with each new election cycle. That is what I think; now what do you think?